Nmap Announce mailing list archives

Re: Promiscuous mode detection


From: Adam Shostack <adam () netect com>
Date: Thu, 4 Mar 1999 16:38:21 -0500

        There was a paper at RAID'98 to send false credentials over
the wires, and build honey pots to trap it when someone attempts to
use it.

        You hack login to appear to accept a login/password of
fyodor/ABCDEFGH.  abcdefgh is a string that you send to indicate
source, destination, and time.  If fyodor tries to login, you flag it, 
and see when and where that login went.  This allows you to detect not 
sniffers, but stolen passwords.

Adam


On Thu, Mar 04, 1999 at 09:37:58PM +0000, Bennett Todd wrote:
| The code posted reports whether the machine it is run on has its interface in
| promisc mode; so does "ifconfig -a|grep PROMISC".
| 
| If you want to check other systems, well, the short answer is, you can't, in
| general. This gets discussed a lot:-). Some versions of OSes can be detected if
| they are put in promisc mode; a typical style hack is to send a ping to the
| IP broadcast address with a specific destination MAC address not found on
| your net, and listen for answers. I don't know how to gen up such a packet.
| It might suffice to stuff an arp entry into the arp cache for the IP broadcast
| address, I dunno if that would work. May work better if you use the "other"
| bcast addr; e.g. the Linux system I'm looking at now is using the .255 bcast
| addr, so it might work better to try setting the arp entry for the .0 addr to
| some known-absent MAC addr, then try sending a ping at the .0 addr. Anybody
| answers, their interfaces are in promisc, but some OSes might not answer even
| if their IF is promisc.
| 
| -Bennett
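
The bait-credential scheme from Adam Shostack's message above, sketched in Python as an added example that is not part of the original thread or of the RAID'98 paper: the bait password carries the source, destination and send time, and the login hook decodes them when the bait account is used. The key, the function names, the IPv4-only packing and the HMAC tag are assumptions made for this illustration.

```python
import base64, hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"   # assumption: secret held by the monitoring host
BAIT_USER = "fyodor"            # bait account name used in the message above

def make_bait_password(src, dst, sent_at):
    """Pack source IP, destination IP and send time into a tagged password."""
    body = (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack(">I", sent_at))
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:4]
    return base64.b32encode(body + tag).decode().rstrip("=")

def decode_bait_password(password):
    """Return (src, dst, sent_at) for a genuine bait password, else None."""
    try:
        raw = base64.b32decode(password + "=" * (-len(password) % 8))
    except (ValueError, TypeError):
        return None
    if len(raw) != 16:
        return None
    body, tag = raw[:12], raw[12:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return None          # not one of our bait strings, or altered
    src = str(ipaddress.IPv4Address(body[:4]))
    dst = str(ipaddress.IPv4Address(body[4:8]))
    return src, dst, struct.unpack(">I", body[8:])[0]

def check_login(user, password, from_host, now):
    """Login hook: flag any use of the bait account and report where it leaked."""
    if user != BAIT_USER:
        return None          # ordinary account, normal authentication applies
    leak = decode_bait_password(password)
    if leak is None:
        return {"alert": "bait account probed", "from": from_host}
    src, dst, sent_at = leak
    return {"alert": "sniffed credential replayed", "from": from_host,
            "leaked_between": (src, dst), "seconds_after_send": now - sent_at}

if __name__ == "__main__":
    # Constructed sample: bait sent 10.0.0.5 -> 10.0.0.9, replayed an hour later.
    pw = make_bait_password("10.0.0.5", "10.0.0.9", 920583501)
    print(check_login("fyodor", pw, "192.0.2.77", 920583501 + 3600))
```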

